Security Sandboxes: A Great Reason to Upgrade

The main reason to upgrade is that the newer versions of Windows and Mac OS X implement something called a security sandbox.

Suppose you get hungry, and want a recipe for a sandwich.  So, you download some recipe software, install it, download a recipe for a sandwich, and make yourself a sandwich.  If you accidentally chose a recipe program that is malicious, then while you have been making your sandwich, your recipe program could access your Quicken data and send it to HACKERS_R_US.COM, where hackers decode the Quicken file, obtain your banking passwords, log in to your bank’s website as you, and write themselves a check.

What?  My recipe program can access my Quicken data?  Yes (if you use the same login all the time).  That’s why you put Quicken on your top-secret computer (always disconnected from the Internet), and your recipe program on your online computer.  Unless of course your secret plan to become a billionaire involves making killer scones to sell at Starbucks.  In that case, you would want the recipe program (with your FABULOUS scone recipes) on your top-secret computer too.  🙂

Basically, if you are using the same login, all your programs can access the data of all your other programs.  A more accurate, detailed description of the problem is in my blog article here: All Your Programs Can Access Your Quicken Data.  Microsoft’s comment about this is: “An authenticated user can see all of their documents, and so can the running programs.  This is the basic security design of Windows, and not something we intend to change.”

Think about that for a minute.  That’s why you shouldn’t just install anything you find on the Internet.  For example, one fake Android app steals data and then chastises you for trying to get around paying for the real app!

Now, how can we address this?

For Windows, you need to be running Windows 8 or later.  You also need to limit yourself to applications that you can purchase through the Windows App Store.  Why is that?  To be advertised in the Windows App Store, Windows developers have to implement something called a security sandbox.  If you download and install any application from somewhere else, there is no guarantee that the software does that.

“Windows Store apps are very different from Windows Desktop apps. Windows Store apps follow in the footsteps of iOS and Android development, providing a relatively small instruction set, a deployment and lifecycle model, and a sandbox for execution.”

So, Windows Store apps have a security sandbox for execution.  That’s good.  What about Windows Desktop apps, the Windows apps that you know and love and have already purchased?  They use the older security rules, so the problem described above applies to them too.  If you’re logged in as the same user, every Windows Desktop app can access all the data of every other Windows Desktop app.  Ugh.

On the surface, the situation with Apple Macs is not much different.  For Macs, you need to be running Mac OS X Mountain Lion (10.8 or later) to get the sandbox technology.  You also need to limit yourself to applications that you can purchase through the Apple App Store, for a similar reason.  Remember all the Mac programs that you know and love and have already purchased?  They use the older security rules, so the problem described above applies to them too.  Ugh.
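To make the difference between the two rules concrete, here is an added example (not from any vendor's code). It first shows the older per-user rule: a file readable only by its owner is still read by a second program started under the same login. It then models the per-app rule a sandbox applies. The directory names and the `sandbox_allows` function are hypothetical, and a real sandbox is enforced by the operating system, not by a check inside the app.

```python
import os
import stat
import subprocess
import sys
import tempfile


def read_as_other_program(path):
    """Start a separate program (a child Python process) under the same
    login and return whatever it is able to read from `path`."""
    child = "import sys; sys.stdout.write(open(sys.argv[1]).read())"
    done = subprocess.run([sys.executable, "-c", child, path],
                          capture_output=True, text=True, check=True)
    return done.stdout


def sandbox_allows(container, requested):
    """Per-app rule (simplified model): allow a path only if it resolves
    to a location inside the app's own container directory."""
    container = os.path.realpath(container)
    target = os.path.realpath(requested)  # collapses ".." and symlinks
    return os.path.commonpath([container, target]) == container


def demo():
    with tempfile.TemporaryDirectory() as home:
        finance = os.path.join(home, "finance_app")   # hypothetical layout
        recipes = os.path.join(home, "recipe_app")
        os.mkdir(finance)
        os.mkdir(recipes)
        secret = os.path.join(finance, "accounts.dat")
        with open(secret, "w") as fh:
            fh.write("constructed sample data")
        os.chmod(secret, stat.S_IRUSR | stat.S_IWUSR)  # owner-only (0600)

        # Per-user rule: the file is owner-only, yet a different program
        # run by the same user reads it without any prompt.
        leaked = read_as_other_program(secret)

        # Per-app rule: the recipe app asks for three paths.
        own = sandbox_allows(recipes, os.path.join(recipes, "scones.txt"))
        other = sandbox_allows(recipes, secret)
        dotdot = sandbox_allows(
            recipes, os.path.join(recipes, "..", "finance_app", "accounts.dat"))
        return leaked, own, other, dotdot


if __name__ == "__main__":
    print(demo())
```

Owner-only file permissions protect you from other users, not from your own programs; only a rule keyed to the app keeps the recipe program out of the finance data.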

I heard from a friend of mine, Paul Adams, who is very knowledgeable about Apple products.  His comments:

a)      All apps purchased through the app store for Mac OS X are sandboxed.  It’s a requirement for developers who submit apps to the store to support it.

b)      Look at the “gatekeeper” in Mac OS X 10.8 as well.  It checks apps you install from the internet and will only let you run apps from “Trusted Developers” (an online list maintained by Apple). This is a medium type security setting for people who don’t want to be restricted to only the app store downloads but want to have some restrictions from the free-wheeling internet.

If you want to upgrade to Mac OS X Mountain Lion (10.8), it may not be as easy as you think.  I have a Mac at home that my wife uses.  We bought it in 2006.  It still works just fine, thank you.  Being security conscious, I wanted to upgrade to Mountain Lion (10.8).  I upgraded to Mac OS X Lion (10.7) earlier, and it was pretty easy.  No issues.  So, I looked at the hardware requirements for Mountain Lion, and my Mac met the hardware requirements.  It was older, but I thought it had the right hardware, so it should work OK.  When I tried to upgrade, it said it wouldn’t work for my computer.  Are there some additional hardware requirements that are not listed?  Not sure about this one, and I’m not too pleased that I have to buy a new Mac to run Mountain Lion.

What to do:

a)      Upgrade your old computers to the latest version of the OS (Windows, OS X, etc.).  If you can do that, you can benefit from the new security features.

b)      For Windows, update to Windows 8 or later, and purchase and run only apps from the Windows App Store.

c)       For Mac OS X, update to Mac OS X Mountain Lion (10.8) or later, and purchase and run only apps from the Apple App Store.

d)      Don’t worry about Apple iPads and iPhones as much.  Those devices are running Apple iOS, which requires all programs to run in a security sandbox.

e)       For Linux, I don’t know of a similar easy way to implement sandboxing.  (Don’t get me wrong.  I love Linux.  I use it every day, and the company where I work runs large businesses on Linux.)  Linux has plenty of security mechanisms, but I don’t know of an easy way to implement sandboxing.

f)        If you don’t have the extra cash to spend on new hardware and software, take a look at Ubuntu.  Ubuntu is the most consumer friendly version of Linux.  It is free to download, and you can also download hundreds of free Linux apps, including a free office suite.  It won’t have all the latest Microsoft or Apple security changes, but for a second computer, it would certainly be cheap.
